AWSTemplateFormatVersion: 2010-09-09 Description: Custom actions for Security Hub Parameters: LambdaIsolateEc2Arn: Type: String Description: ARN of Lambda for Isolation EC2 LambdaBlockPrincipalArn: Type: String Description: ARN of Lambda for Blocking Principal AlertSnsArn: Type: String Description: ARN of Sns for notificaiton S3BucketSources: Type: String Description: Sources for custom resources S3SourcesPrefix: Type: String Description: Prefix for the sources Resources: # Custom resources to create custom action CustomActions: Type: AWS::CloudFormation::CustomResource Properties: ServiceToken: !GetAtt 'CustomActionsFunction.Arn' AccountId: !Ref AWS::AccountId CustomActions: - Name: Isolate EC2 ActionId: IsolateEc2 Description: Triggers isolation of Ec2 Target: !Ref LambdaIsolateEc2Arn - Name: Send SNS ActionId: SendSns Description: Sends SNS with details Target: !Ref AlertSnsArn - Name: Block IAM Principal ActionId: BlockIamPrincipal Description: Blocks a IAM Principal Target: !Ref LambdaBlockPrincipalArn # Role to remediation CustomActionsRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole Path: / Policies: - PolicyName: lambda-custom PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - securityhub:CreateActionTarget - securityhub:DeleteActionTarget - securityhub:DescribeHub - events:DeleteRule - events:PutRule - events:PutTargets - events:RemoveTargets - events:RemovePermission - events:AddPermission - lambda:AddPermission - lambda:RemovePermission Resource: "*" CustomActionsFunction: Type: AWS::Lambda::Function Properties: FunctionName: !Sub SecurityHub-DefineCustomActions Description: Creates custom actions in Security Hub Handler: security_hub_custom_actions.lambda_handler Runtime: python3.7 Role: !GetAtt CustomActionsRole.Arn Timeout: 60 Code: S3Bucket: !Ref S3BucketSources S3Key: !Sub '${S3SourcesPrefix}master_lambda_functions.zip'